host name :raspberrypi.local 端口:22 账号为pi 密码为raspberry ########################### # General config 一般配置 # these are the default settings这些是默认设置 # the setting are only used, if not defined in the payload itself 如果未在有效负载本身中定义,则仅使用该设置 ########################### # USB setup # --------------------------- # Make sure to change USB_PID if you enable different USB functionality in order # to force Windows to enumerate the device again 如果按顺序启用不同的USB功能,请务必更改USB_PID强制Windows再次枚举设备 USB_VID="0x1d6b" # Vendor ID USB_PID="0x0137" # Product ID 这段设置是否要启动键盘鼠标HID之类的东西 USE_ECM=true # if true CDC ECM will be enabled USE_RNDIS=true # if true RNDIS will be enabled USE_HID=false # if true HID (keyboard) will be enabled USE_HID_MOUSE=true # if true HID mouse will be enabled USE_RAWHID=false # if true a raw HID device will be enabled USE_UMS=false # if true USB Mass Storage will be enabled # =========================================== # Network and DHCP options USB over Ethernet #通过USB以太网设置网络和DHCP # =========================================== 我们选择具有非常小的子网IP # We choose an IP with a very small subnet (see comments in README.rst) IF_IP="172.16.0.1" # IP used by P4wnP1 IF_MASK="255.255.255.252" IF_DHCP_RANGE="172.16.0.2,172.16.0.2" # DHCP Server IP Range ROUTE_SPOOF=false # set two static routes on target to cover whole IPv4 range WPAD_ENTRY=false # provide a WPAD entry via DHCP pointing to responder # ============================ # WiFi options (only Pi Zero W) # ============================ WIFI_NEXMON=false # Experimental: enables the use of Nexmon driver + firmware to add monitor mode capability WIFI_NEXMON_BRING_UP_MONITOR_FIRST=true # if this option is set to true, the additional monitor interface is brought up before hostapd is started (and thus not available to hostapd) WIFI_REG=US # WiFi regulatory domain (if not set accordingly, WiFi channels are missing) # Access Point Settings # --------------------- WIFI_ACCESSPOINT=true WIFI_ACCESSPOINT_NAME="P4wnP1" #这里设置你WIFI名字 WIFI_ACCESSPOINT_AUTH=true # Use WPA2_PSK if true, no authentication if false 是否使用WPA2_PSK协议 WIFI_ACCESSPOINT_CHANNEL=6 #访问渠道 WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1" #这里设置你的密码 WIFI_ACCESSPOINT_IP="172.24.0.1" # 这是你连接WIFI后用putty访问的IP WIFI_ACCESSPOINT_NETMASK="255.255.255.0" WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range WIFI_ACCESSPOINT_HIDE_SSID=false # use to hide SSID of WLAN (you have to manually connect to the name given by WIFI_ACCESSPOINT_NAME)这里设置你的SSID是否隐藏如果隐藏你要通过NAME来链接 WIFI_ACCESSPOINT_DHCP_BE_GATEWAY=false # propagate P4wnP1 as router if true (only makes sense when an upstream is available 如果为true把P4wnP1作为路由器 WIFI_ACCESSPOINT_DHCP_BE_DNS=false # propagate P4wnP1 as nameserver if true (only makes sense when an upstream is available 如果为true把P4wnP1作为nameserver(这是啥??? WIFI_ACCESSPOINT_DNS_FORWARD=false # if true, P4wnP1 listens with a DNS forwader on UPD port 53 of the WiFi interface (traffic is forwaded to P4wnP1's system DNS) #如果为true,则P4wnP1在WiFi接口的UPD端口53上侦听DNS转发器(流量被转发到P4wnP1的系统DNS) WIFI_ACCESSPOINT_KARMA=false # enables Karma attack with modified nexmon firmware, requires WIFI_NEXMON=true WIFI_ACCESSPOINT_KARMA_LOUD=false # if true beacons for SSIDs spotted in probe requests are broadcasted (maximum 20)是否广播了探测请求中发现的SSID的真实信标 # WiFi Client Settings # -------------------- WIFI_CLIENT=false # enables connecting to existing WiFi (currently only WPA2 PSK) #可以连接到现有的WiFi(目前只有WPA2 PSK) # example payload: wifi_connect.txt # Warning: could slow down boot, because: # - scan for target network is issued upfront # - DHCP client is started and waits for a lease on WiFi adapter # Note: if WIFI_ACCESSPOINT is enabled, too: # - P4wnP1 tries to connect to the given WiFi # - if connection fails, the AccessPoint is started instead WIFI_CLIENT_SSID="Accespoint Name" # name of target network 目标网络的名称 WIFI_CLIENT_PSK="AccessPoint password" # passphrase for target network 目标网络的密码 WIFI_CLIENT_STORE_NETWORK=false # unused right now, should be used to store known networks, but priority has to be given if multiple known networks are present如果有多个网络则在这里设置优先级 WIFI_CLIENT_OVERWRITE_PSK=true # unused right now, in case the network WIFI_CLIENT_STORE_NETWORK is set an existing PSK gets overwritten # ================================== # Keyboard settings for HID keyboard # HID键盘的键盘设置 # ================================== lang="us" # Keyboard language for outhid and duckhid commands HID_KEYBOARD_TEST=true # if enabled 'onKeyboardUp' is fired as soon as the host initializes the keyboard # =============================================== # Settings for reachback connections with AutoSSH # 使用AutoSSH进行返回连接的设置 # =============================================== AUTOSSH_ENABLED=false # if enabled P4wnP1 will continuously try to bring up a SSH connection tunneling out its internal SSH server to a remote SSH Server #如果启用,P4wnP1将不断尝试启动SSH连接,将其内部SSH服务器隧道传输到远程SSH服务器 AUTOSSH_REMOTE_HOST=YourSSH-server.com # host address of the remote SSH server #远程SSH服务器的主机地址 AUTOSSH_REMOTE_USER=root # valid user of the remote SSH server (passwordless login has to be possible with the key given by AUTOSSH_PRIVATE_KEY) #远程SSH服务器的有效用户 AUTOSSH_PRIVATE_KEY="$wdir/ssh/keys/P4wnP1_id" # private key used to login to the remote server (has to be present in ~/.ssh/authorized_keys file of AUTOSSH_REMOTE_USER) #用于登录远程服务器的私钥(必须出现在AUTOSSH_REMOTE_USER的〜/ .ssh / authorized_keys文件中) AUTOSSH_PUBLIC_KEY="$wdir/ssh/keys/P4wnP1_id.pub" # this key has to be present in ~/.ssh/authorized_keys file of AUTOSSH_REMOTE_USER, (use ./ssh/pushkey.sh to assist) #此密钥必须出现在AUTOSSH_REMOTE_USER的〜/ .ssh / authorized_keys文件中,(使用./ssh/pushkey.sh来协助) AUTOSSH_REMOTE_PORT=8765 # P4wnP1's SSH shell will be reachable at this port on the remote SSH server (the port is bound to localhost and thus not exposed to public facing IP) #P4wnP1的SSH shell将在远程SSH服务器上的此端口上可访问(该端口绑定到localhost,因此不会暴露给面向公众的IP) # ============================= # Settings for Bluetooth PAN (Pi Zero W only) # 蓝牙设置(目前没啥用....) # ============================= # Note: Connecting Bluetooth Network Access Point (NAP) with a mobile device # requires to disable other networks with internet access on this device in most cases # (like WiFi). # NAP provided by P4wnP1 doesn't necessarily provide Internet access, but is used to # grant network access on P4wnP1 via bluetooth. The alternative would be to establish # a "Group Network (GN)" instead of NAP, which unfortunately didn't work in most test cases, # when it cames to connection of a mobile device. # So if Internet should be provided from P4wnP1 via NAP (which isn't the purpose of P4wnP1), # P4wnP1 itself has to be connected to Internet (for example using RNDIS + ICS on windows or # using the WiFi client mode). Additionally iptables rules have to be deployed to enable MASQUERADING # on the respective outbound interface. # # To summerize: P4wnP1 provides NAP as access option to SSH via bluetooth, not to serve Internet, # although this could be achieved. BLUETOOTH_NAP=false # Enable Bluetooth NAP to SSH in via Bluetooth BLUETOOTH_NAP_PIN=1337 # unused, PIN authentication currently not working (custom agent for bluez 5 needed) BLUETOOTH_NAP_IP="172.26.0.1" # IP used by P4wnP1 BLUETOOTH_NAP_NETMASK="255.255.255.0" BLUETOOTH_NAP_DHCP_RANGE="172.26.0.2,172.26.0.100" # DHCP Server IP Range BLUETOOTH_PAN_AUTO=false # Overides BLUETOOTH_NAP !! Instead of providing a NAP P4wnP1 tries to use an existing bluetooth NAP as soon as a device providing one has paired # AND CONNECTED (not the common behavior for a device providing bluetooth tethering, but possible) # Important: P4wnP1 doesn't try to pair or connect a device on its own, but is discoverable (although no bluetooth services are provided) # ============================= # Settings for USB Mass Storage # ============================= # ===================== # Payload selection # ===================== PAYLOAD=network_only.txt #PAYLOAD=wifi_covert_channel/hid_only_delivery64.txt # WiFi covert channel (HID only delivery), insert P4wnP1 to target, press NUMLOCK rapidly to infect ... remove P4wnP1 and provided it with Power, lock in via WiFi and use the C2 server for the covert channel #WiFi隐蔽通道(仅HID发送),将P4wnP1插入目标,快速按NUMLOCK感染...删除P4wnP1并提供电源,通过WiFi锁定并使用C2服务器进行隐蔽通道 #PAYLOAD=wifi_covert_channel/hid_only_delivery32.txt # 32bit version untested #上面payload的32位版本 #PAYLOAD=wifi_covert_channel/hid_only_delivery64_bt_only.txt # WiFi covert channel version which use Bluetooth instead of a WiFi AP to provide C2 server access (no visible P4wnP1 WiFi, at all) #WiFi隐蔽频道版本使用蓝牙而不是WiFi AP提供C2服务器访问(根本没有可见的P4wnP1 WiFi) #PAYLOAD=nexmon/karma.txt # Experimental Rogue AP in Karma mode using Nexmon (seemoo-lab) firmware for Monitor/Injection (+ MaMe82 KARMA firmware mod) and Responder #Karma模式下的实验性Rogue AP,使用Nexmon(seemoo-lab)固件进行监视/注入(+ MaMe82 KARMA固件模块)和响应程序 #PAYLOAD=nexmon/karma_bt_upstream.txt #PAYLOAD=hid_mouse.txt # HID mouse demo: Shows different ways of positioning the mouse pointer, using P4wnP1's MouseScript languag #HID鼠标演示:使用P4wnP1的MouseScript语言显示定位鼠标指针的不同方法 #PAYLOAD=hid_backdoor_remote.txt # AutoSSH "reachback" version of hid_backdoor (see payload comments for details) #AutoSSH“返回”版本的hid_backdoor(有关详细信息,请参阅有效负载评论) #PAYLOAD=wifi_connect.txt #PAYLOAD=stickykey/trigger.txt # Backdoor Windows LockScreen with SYSTEM shell, triggered by NUMLOCK, trigger SCROLLLOCK to revert the changes #带有SYSTEM shell的后门Windows LockScreen,由NUMLOCK触发,触发SCROLLLOCK以恢复更改 #PAYLOAD=hakin9_tutorial/payload.txt # steals stored plain credentials of Internet Explorer or Edge and saves them to USB flash drive (for hakin9 tutorial) #窃取存储的Internet Explorer或Edge的简单凭据并将其保存到USB闪存驱动器(适用于hakin9教程) #PAYLOAD=Win10_LockPicker.txt # Steals NetNTLMv2 hash from locked Window machine, attempts to crack the hash and enters the plain password to unlock the machin on success #从锁定的Window机器窃取NetNTLMv2哈希,尝试破解哈希并输入普通密码以解锁成功的机器 #PAYLOAD=hid_backdoor.txt # under (heavy) development #正在开发(重写嘛 #PAYLOAD=hid_frontdoor.txt # HID covert channel demo: Triggers P4wnP1 covert channel console by pressing NUMLOCK 5 times on target (Windows) #HID隐蔽频道演示:通过在目标上按NUMLOCK 5次触发P4wnP1隐蔽频道控制台(Windows) #PAYLOAD=hid_keyboard.txt # HID keyboard demo: Waits till target installed keyboard driver and writes "Keyboard is running" to notepad #HID键盘演示:等待直到目标安装的键盘驱动程序并将“键盘正在运行”写入记事本 #PAYLOAD=hid_keyboard2.txt # HID keyboard demo: triggered by CAPS-, NUM- or SCROLL-LOCK interaction on target #HID键盘演示:由目标上的CAPS-,NUM-或SCROLL-LOCK交互触发